Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x

2012-09-14 Thread Brian Braun
Hi, Is there a REAL solution to the "BEAST attack" (CVE-2011-3389) for Tomcat 7.x? For more info about this attack: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389 My toughts and questions, as far as I have investigated this issue: - Disabling the TLS1.0 protocol would be too restr

Re: SSL Vulnerability in Tomcat and/or JVM?

2012-09-14 Thread Brian Braun
Hi Dan, Thanks a lot for your response! Contacting them will not work. I have had false positives in the past and they just don't fix it. I need to do something on my side to solve this situation. I'm certainly NOT using OpenSSL. I'm using a Geotrust certificate, and therefore the JSSE implementat

[ANN] Apache Tomcat Maven Plugin 2.0

2012-09-14 Thread Olivier Lamy
Hi, The Apache Tomcat is pleased to announce the release of the 2.0 version. This plugin can used to run your war project inside an embeded Apache Tomcat and to deploy your project to a running Apache Tomcat instance. Documentation available: http://tomcat.apache.org/maven-plugin-2.0/index.html R

Re: Can't seem to get metadata-complete turned on

2012-09-14 Thread Mark Thomas
On 14/09/2012 17:36, Benson Margulies wrote: > On Fri, Sep 14, 2012 at 12:27 PM, Mark Thomas wrote: >> Benson Margulies wrote: >> >>> Apologies for the accidental use of HTML. >>> >>> The problem below is triggered by the facts that: >>> >>> a) spring-web contains a ServletContainerInitializer >>

Re: Can't seem to get metadata-complete turned on

2012-09-14 Thread Mark Thomas
On 14/09/2012 17:31, Benson Margulies wrote: > On Fri, Sep 14, 2012 at 12:27 PM, Mark Thomas wrote: >> Benson Margulies wrote: >> >>> Apologies for the accidental use of HTML. >>> >>> The problem below is triggered by the facts that: >>> >>> a) spring-web contains a ServletContainerInitializer >>

Re: Can't seem to get metadata-complete turned on

2012-09-14 Thread Benson Margulies
On Fri, Sep 14, 2012 at 12:27 PM, Mark Thomas wrote: > Benson Margulies wrote: > >>Apologies for the accidental use of HTML. >> >>The problem below is triggered by the facts that: >> >>a) spring-web contains a ServletContainerInitializer >>b) even with metadata-complete, tomcat does annotation sc

Re: Can't seem to get metadata-complete turned on

2012-09-14 Thread Benson Margulies
On Fri, Sep 14, 2012 at 12:27 PM, Mark Thomas wrote: > Benson Margulies wrote: > >>Apologies for the accidental use of HTML. >> >>The problem below is triggered by the facts that: >> >>a) spring-web contains a ServletContainerInitializer >>b) even with metadata-complete, tomcat does annotation sc

Re: Can't seem to get metadata-complete turned on

2012-09-14 Thread Mark Thomas
Benson Margulies wrote: >Apologies for the accidental use of HTML. > >The problem below is triggered by the facts that: > >a) spring-web contains a ServletContainerInitializer >b) even with metadata-complete, tomcat does annotation scanning once >it sees one of those Yes, this is a mandatory req

Re: Can't seem to get metadata-complete turned on

2012-09-14 Thread Benson Margulies
Apologies for the accidental use of HTML. The problem below is triggered by the facts that: a) spring-web contains a ServletContainerInitializer b) even with metadata-complete, tomcat does annotation scanning once it sees one of those c) In my embedded environment, there's a lot of real estate to

Can't seem to get metadata-complete turned on

2012-09-14 Thread Benson Margulies
I'm using tomcat 7.0.29, embedded. My web.xml web-app element looks like: http://java.sun.com/xml/ns/javaee"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd";

RE: SSL Vulnerability in Tomcat and/or JVM?

2012-09-14 Thread Dan
I experienced this exact same issue with McAfee secure scan. If you are you using JSSE as your provider you should be okay. You can submit this as a false positive scan and let them know you are using JSSE instead of OpenSSL. You can check to see which provider you are using by looking at your co

RE: Apache tomcat ( 7.0.19 ) stops processing user requests suddenly but works fine after restart.

2012-09-14 Thread balvindar dhaliwal
Hi, The issue seems similar to: http://www.tomcatexpert.com/ask-the-experts/tomcat-hangs-production-and-doesn%E2%80%99t-respond-new-http-requests https://issues.apache.org/bugzilla/show_bug.cgi?id=53173 Regards,Bal. From: balvind...@hotmail.com To: users@tomcat.apache.org Subject: RE: Apache t

Re: How to get heap dump of Tomcat running as windows service.

2012-09-14 Thread Brett Delle Grazie
On 14 September 2012 06:14, Aditi Sinha wrote: > Hi, > Please do not top-post - it makes the thread very confusing to read. > Tried below option. > jmap -J-Xmx512M -dump:format=b,file=heap.bin Tomcat heap = 512M according to your earlier post, is that correct? jmap heap = 512M (according to t

Re: How to send some requests to all tomcat cluster nodes from loadbalancer

2012-09-14 Thread Orhan Karasakal
Hi, Is not it possible that send ping from mod_jk to all tomcat nodes ? There is no need response from all nodes back to requester. It can be set status, for example when nodes get request for special url, status checked ok All I want that all nodes informed from special url request without messagi

SSL Vulnerability in Tomcat and/or JVM?

2012-09-14 Thread Brian Braun
Hi, In my site I’m using a certificate from www.securitymetrics.com. Today they disabled my certificate. This is supposed to be the main reason: Description: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability Synoposis: It may be possible to obtain sens